Home Decisions

Decision 289/2025

Decision 289/2025:  Internal review and report


Authority: Chief Constable of the Police Service of Scotland
Case Ref: 202500441
 

Summary

The Applicant asked the Authority for a copy of an internal report produced by a Detective Inspector and sent to a Chief Inspector.  The Authority withheld the information as it considered the information to be personal information.  The Commissioner investigated and found that the information had been correctly withheld. 

Relevant statutory provisions

Freedom of Information (Scotland) Act 2002 (FOISA) sections 1(1), (2) and (6) (General entitlement); 2(1)(a) and (2)(e)(ii) (Effect of exemptions); 38(1)(a), (b), (2A), (5) (definitions of “the data protection principles”, ”data subject”, ”personal data” and ”processing”, “the UK GDPR”) and (5A) (Personal information); 47(1) and (2) (Application for decision by Commissioner).

United Kingdom General Data Protection Regulation (the UK GDPR) articles 4(1) (definition of “personal data”) (Definitions); 5(1)(a) (Principles relating to the processing of personal data); 6(1)(f) (Lawfulness of processing).

Data Protection Act 2018 (the DPA 2018) sections 3(2), (3), (4)(d), (10) and (14)(a), (c) and (d) (Terms relating to the processing of personal data). 

Background

  1. On 6 September 2022, the Applicant made a request for information to the Authority. He asked for a copy of the report from a named Detective Inspector sent to a named Chief Inspector as described at point (7) in his Subject Access Request (SAR) application:

    (7) Email from the Detective Inspector dated 4 October 2021 confirming he had ‘completed my overarching review’ and had ‘forwarded my report’ to the Chief Inspector ‘for his continued information and further guidance’. 

  2. The Authority responded on 7 October 2022, in terms of Article 15 of the UK General Data Protection Regulation and section 45 of the Data Protection Act 2018, advising that there was no official report raised but that a short email was sent to the Chief Inspector.  It stated that a copy of the email was no longer held as it was sent over 18 months ago.
  3. On 10 October 2022, the Applicant wrote to the Authority requesting a review of its decision. The Applicant stated that he was dissatisfied with the decision because he believed the Authority did hold the information requested.
  4. The Authority notified the Applicant of the outcome of its review on 13 October 2022, which fully upheld its original response.  It explained that it had contacted the Detective Inspector named in the request, who had explained that there was no report as such, but they had sent a short email to the Chief Inspector named in the request.  They stated that the email had been relayed to the Applicant previously and that they no longer held the email, as it was dated over 18 months ago.
  5. On 6 December 2022 the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA as he did not agree that no further information was held.
  6. During that investigation the Authority located information relevant to the request, and on 21 January 2025, Decision 008/2025[1] was issued requiring the Authority to issue the Applicant with a revised review outcome and, if it considered any of the information it identified to be exempt from disclosure under FOISA as the Applicant’s own personal data, to provide him with advice and assistance on how to make a  SAR  under the UK GDPR for that information.
  7. On 7 March 2025 the Authority issued the Applicant with a revised review outcome stating that it held information but that this information was being withheld under the exemptions at section 34(1)(a)(i) & (b) (Investigations by a Scottish public authority) and 38(1)(a) and (b) (Personal information) of FOISA.
  8. On 21 March 2025, the Applicant wrote to the Commissioner, applying for a decision in terms of section 47(1) of FOISA.  The Applicant stated he was dissatisfied with the outcome of the Authority’s review because he was dissatisfied with the fact that he was not receiving the correct personal data that he asked for because of a refusal under FOI legislation. 

Investigation

  1. The Commissioner determined that the application complied with section 47(2) of FOISA and that he had the power to carry out an investigation.
  2. On 27 March 2025, the Authority was notified in writing that the Applicant had made a valid application.  The Authority was asked to send the Commissioner the information withheld from the Applicant.  The Authority provided the information and the case was allocated to an investigating officer.
  3. Section 49(3)(a) of FOISA requires the Commissioner to give public authorities an opportunity to provide comments on an application.  The Authority was invited to comment on this application and to answer specific questions.  These related to why the Authority considered the information to be the personal information of either the Applicant or third parties.
  4. The Applicant was also invited to make any submissions he wished the Commissioner to consider, which he did.  By way of background, the Applicant explained that he had previously submitted an original evidence folder and enhanced evidence folder to the Authority.
  5. As the Applicant has only challenged the Authority’s handling of his request as it affects personal information, in this decision the Commissioner will only be considering the Authority’s reliance on sections 38(1)(a) and (b) of FOISA. 

Commissioner’s analysis and findings

  1. The Commissioner has considered all of the submissions made to him by the Applicant and the Authority.
  2. The withheld information in this case comprised of one document that was withheld in full under FOISA but had been provided by the Authority to the Applicant (with a small amount if third party personal data withheld) in response to a SAR.

Section 38(1)(a) – Personal information (requester’s own personal data)

  1. Section 38(1)(a) of FOISA contains an absolute exemption in relation to personal data of which an applicant is the data subject. The fact that it is an absolute exemption means that it is not subject to the public interest test set out in section 2(1)(b) of FOISA.
  2. This exemption exists under FOISA because individuals have a separate right to make a request for their own personal data under the United Kingdom General Data Protection Regulation (the UK GDPR). This route is more appropriate for individuals to access their personal data, as it ensures that it is disclosed only to the individual.
  3. Section 38(1)(a) of FOISA does not deny individuals the right to access information about themselves but ensures that the right is exercised under the correct legislation (the UK GDPR) and not under FOISA.
  4. Personal data are defined in section 3(2) of the DPA 2018 which, read with section 3(3), incorporates the definition of personal data in Article 4(1) of the UK GDPR:

“…any information relating to an identified or identifiable living individual ; an identifiable living individual means a living individual  who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual”.

  1. The Commissioner has carefully considered the information withheld under section 38(1)(a) of FOISA.  The subject matter of the withheld information and the way the document is written means that much of it is made up of a mixture of information relating to the Applicant and other individuals.   
  2. It is apparent that the Applicant could be identified from the information withheld under section 38(1)(a) of FOISA.
  3. The Commissioner therefore considers that the information withheld under section 38(1)(a) of FOISA is the Applicant’s own personal data and can therefore be withheld under this exemption. 

Section 38(1)(b) – Personal information 

  1. Section 38(1)(b) of FOISA, read in conjunction with section 38 (2A)(a) or (b), exempts information from disclosure if it is “personal data” (as defined in section 3(2) of the DPA 2018) and its disclosure would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
  2. The exemption in section 38(1)(b) of FOISA, applied on the basis set out in the preceding paragraph, is an absolute exemption.  This means that it is not subject to the public interest test in section 2(1)(b) of FOISA.
  3. To rely on this exemption, the Authority must show that the information withheld is personal data for the purposes of the DPA 2018 and that disclosure of the information into the public domain (which is the effect of disclosure under FOISA) would contravene one or more of the data protection principles set out in Article 5(1) of the UK GDPR.
  4. The Commissioner must decide whether the Authority was correct to withhold some of the information requested under section 38(1)(b) of FOISA. 

Is the withheld information personal data?

  1. The first question the Commissioner must address is whether the withheld information is personal data for the purposes of section 3(2) of the DPA 2018 (see para 19 above for definition).
  2. Information will “relate to” a person if it is about them, is linked to them, has biographical significance for them, is used to inform decisions affecting them, or has them as its main focus.
  3. The Authority identified several individuals whose personal information was included in the withheld information.
  4. The Applicant, in his comments to the Commissioner, stated that he would be surprised if the report contained the personal data of other individuals.
  5. The Commissioner has reviewed the withheld information and as mentioned above, the nature of the document means that individuals are identified throughout it, by being named, referred to, or through the recording of a view they had given.
  6. He is satisfied that the information being withheld under section 38(1)(b) of FOISA is personal: it identifies several living individuals by name and clearly (given the context) relates to them.

Would disclosure contravene one of the data protection principles?

  1. The Authority considered that disclosing the personal data would breach the first data protection principle of Article 5(1)(a) of the UK GDPR.  Article 5(1)(a) states that personal data shall be processed “lawfully, fairly and in a transparent manner in relation to the data subject”.
  2. “Processing” of personal data is defined in section 3(4) of the DPA 2018.  It includes (section 3(4)(d)) disclosure by transmissions, dissemination or otherwise making available personal data. The definition therefore covers disclosing the information into the public domain in response to a FOISA request.
  3. The Commissioner must consider whether disclosure of the personal data would be lawful.  In considering lawfulness, he must consider whether any of the conditions of Article 6 of the UK GDPR would allow the data to be disclosed.
  4. The Commissioner considers condition (f) in Article 6(1) to be the only one which could potentially apply in the circumstances of this case.  This was also the position of the Authority in its submissions to the Commissioner. 

Condition (f): legitimate interests

  1. Condition (f) states that the processing will be lawful if it “…is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data (in particular where the data subject is a child).”
  2. Although Article 6 states that this condition cannot apply to processing carried out by a public authority in the performance of their tasks, section 38(5A) of FOISA makes it clear that public authorities can rely on Article 6(1)(f) when responding to requests under FOISA.
  3. The tests which must be met before Article 6(1)(f) can be met are as follows:

    1. Does the Applicant have a legitimate interest in obtaining the personal data?

    2. If so, would disclosure of the personal data be necessary to achieve that legitimate interest?

    3. Even if the processing would be necessary to achieve that legitimate interest, would that be overridden by the interests or fundamental rights and freedoms of the data subjects?

Does the Applicant have a legitimate interest in obtaining the personal data?

  1. The Applicant considered that disclosure of the report was an important step in the pursuit of justice.
  2. In its submissions to the Commissioner, the Authority accepted that the Applicant had a legitimate interest as regards disclosure of this information.
  3. Given the nature of the subject matter, the Commissioner agrees that the Applicant has a legitimate interest in obtaining the personal data.   

Is disclosure of the personal data necessary?

  1. Having accepted that the Applicant has a legitimate interest in the personal data, the Commissioner must consider whether disclosure would be necessary to achieve the legitimate interest in the information.
  2. Here, “necessary” means “reasonable” rather than “absolutely” or “strictly” necessary. When considering whether disclosure would be necessary, public authorities must consider whether the disclosure is proportionate as a means and fairly balanced as to the aims to be achieved, or whether the Applicant’s legitimate interest could reasonably be met by means which interfered less with the privacy of the data subject.
  3. The Authority did not consider that disclosure of the information was necessary to achieve the Applicant’s legitimate interests.  It highlighted that it had already disclosed this report to the Applicant via a SAR, with third party redactions that it stated were minimal. It considered that this was the correct route by which to receive personal data.
  4. The Applicant made no specific comment with regard to his legitimate interests or the necessity of disclosure.
  5. The Commissioner has carefully considered the withheld information, as well as the position of the Authority and the wider circumstances that were outlined in more detail by the Applicant but need not be narrated here.  
  6. He acknowledges the importance of understanding how a public authority has reached its decision.  He also recognises, from the content of the information, the significance of the subject matter to the Applicant.  
  7. The Commissioner understands that the Applicant received a copy of most of the information in response to his SAR, however, this was not until 17 March 2025, after the date he received his review outcome from the Authority (7 March 2025).  The Commissioner therefore notes that, at the time the Applicant received his review outcome, he was not in possession of the information via the SAR.  This happened subsequently and although the Applicant does indeed have most of the information now, as the Authority has stated, he did not at the time the review outcome was issued, and it is the circumstances at that time that the Commissioner must consider in this decision.
  8. Given that, and for the reasons mentioned above, the Commissioner considers that disclose of the personal data is necessary to meet the Applicant’s legitimate interests. 
  9. Consequently, he will go on to consider whether the interest in obtaining the personal data outweighs the rights and fundamental freedoms of the data subject.
  10. The Commissioner did note that it was not clear whether the Applicant was aware that the document being withheld from him by the Authority under FOISA was the same one as had been provided to him as a result of his SAR (with the minimal redactions mentioned above), and considers that it would have been helpful if the Authority had made this apparent to the Applicant at an earlier stage, possibly on responding to his SAR. 

Interests and fundamental rights and freedoms of the data subjects

  1. The Commissioner must now balance the legitimate interests in disclosure against the data subjects’ interests or fundamental rights and freedoms.  Only if the legitimate interests of the Applicant outweigh those of the data subject(s) can the information be disclosed without breaching the first data protection principle.
  2. In considering the balance between the legitimate interests and the rights and freedoms of the data subjects, it is important to take account of whether the proposed disclosure would be within the reasonable expectations of an individual.  There are factors that assist in this determination including the distinction between private and public life; the nature of the information; how the personal data was obtained; whether any specific assurances were given to individuals; privacy notices; and any policies or standard practice.
  3. The Applicant has not made any specific submissions in relation to this balancing exercise, but clearly at the time of his application wished to see the withheld information.
  4. The Authority considered that although the Applicant may have a legitimate interest, it would not be fair to the other data subjects to make their personal data public (the result of a disclosure under FOISA).  The Authority advised that one its staff had since retired and two of the other data subjects had never been named publicly in relation to this matter and would not expect to appear in public in this type of report now.
  5. The Authority’s view was that the Applicant’s legitimate interests are overridden by the interests or fundamental rights and freedoms of the other data subjects and that on that basis, it considered that disclosure of the information sought would be unlawful.
  6. The Commissioner has considered the content of the information and the likely reasonable expectations of the data subjects.  In explaining his reasoning, the Commissioner must take care not to reveal the nature of the withheld information.
  7. He does not consider that individuals who have had no dealings with the police in relation to the subject matter of the withheld information would expect their personal data to be disclosed into the public domain.  Similarly, there is no indication or evidence that other parties who are integral to the matters discussed in the withheld information are aware that their personal data is being considered in this way.  None of these parties have had the opportunity to express a view on disclosure.  
  8. Having considered all of these factors, the Commissioner finds that the legitimate interests served by disclosure of any information held would be outweighed by the unwarranted prejudice that would result to the rights and freedoms or legitimate interests of the data subjects in this case.
  9. In all the circumstances of this particular case, the Commissioner concludes that condition (f) in Article 6(1) of the UK GDPR could not be met in relation to the personal data sought by the Applicant. 

Fairness and transparency

  1. Given that the Commissioner has concluded that the processing of the personal data would be unlawful, he is not required to go on to consider separately whether disclosure would otherwise be fair and transparent in relation to the data subjects.
  2. For the reasons set out above, the Commissioner is satisfied that disclosure of the personal data would breach the data protection principle in Article 5(1)(a) of the UK GDPR.  Consequently, he is satisfied that the personal data was correctly withheld under section 38(1)(b) of FOISA.

Decision 

The Commissioner finds that the Authority complied with Part 1 of the Freedom of Information (Scotland) Act 2002 (FOISA) in responding to the information request made by the Applicant.

Appeal

Should either the Applicant or the Authority wish to appeal against this decision, they have the right to appeal to the Court of Session on a point of law only. Any such appeal must be made within 42 days after the date of intimation of this decision.

 

 

Euan McCulloch 

Head of Enforcement 

 

10 December 2025